Last Updated on January 24, 2016 by Dishan M. Francis

I am sure multi-factor authentication (MFA) is not a new concept for IT administrators today. It is an additional layer of security to confirm the user's identity. It can take the form of PIN verification, a phone call, smart cards, biometrics, etc.

This feature is mainly used when an infrastructure extends its services to be “internet facing”. There are a lot of MFA service providers in the market. You can use it either as an on-premises service or as a cloud-based service.

When it comes to Azure, the same security concerns apply. If you have integrated it with an on-premises Active Directory, security is an even greater concern, as the integration extends the security boundaries of the infrastructure.

In this article I will demonstrate how “easily” you can enable multi-factor authentication for an Azure user.

In my demo I have a Windows Server 2016 TP4 on-premises AD configured to sync with Azure AD. I am going to enable MFA for an Azure user account which is synced from the on-premises AD.

1)    Log in to your Azure portal
2)    Then browse > Active Directory

3)    Load your AD directory and go to users

4)    For my demo I am using the user account “user1”; this user account is synced from the local Active Directory
5)    Select the user account and click on “manage multi-factor authentication”

6)    It will then load a new page to manage MFA. As you can see, MFA is currently disabled for “user1”

7)    To enable it, tick the box next to “user1” and click on the “enable” option in the right-hand panel

8)    It will then open a pop-up window with help options. Click on “enable multi-factor auth”

9)    Now it’s enabled. Let’s try to log in to the Azure portal as the user to see.

10)    It then says that MFA is enabled and needs to be set up. Click on “setup now” to proceed

11)    On the next page it gives the option to select the authentication method.
12)    There are 3 ways to authenticate:

Authentication phone – This will send an SMS, or it can also be set up to call back the given number. Please note that if you use this option, SMS and call charges will be added.

Office phone – This option requests contact using the office phone specified by the admin

Mobile app – With this option you can install the mobile application (Azure Authenticator) on your phone; it can be set to send a notification via the app when you try to log in, or to use a verification code

13)    Once you have selected the option and its settings, click on setup

14)    In my demo I used the mobile app option. Once the setup is completed (you need to follow different options to set up based on your selection), let’s check the login page again

15)     Now it’s asking for the PIN verification before login.

As we can see, MFA is now enabled for the selected Azure AD user.
In a future post I will explain how we can change settings for MFA.
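
The portal steps above can also be scripted, which helps when you need to check many synced accounts. The following is an added example, not part of the original post: it assumes the MSOnline PowerShell module (since deprecated by Microsoft) and uses `user1@contoso.example` as a placeholder UPN. It reports the per-user MFA state of every account, enables MFA for one user, and confirms the change.

```powershell
# Added example, not from the original post.
# Assumption: the MSOnline module is installed (Install-Module MSOnline)
# and you sign in with an account that is allowed to manage users.
Import-Module MSOnline
Connect-MsolService   # prompts for admin credentials

# Placeholder UPN (assumption): replace with the synced account to protect.
$upn = 'user1@contoso.example'

function Get-MfaState {
    param([Parameter(Mandatory)] $User)
    # StrongAuthenticationRequirements is empty while per-user MFA is disabled.
    $req = $User.StrongAuthenticationRequirements
    if ($req -and $req.Count -gt 0) { $req[0].State } else { 'Disabled' }
}

# 1) Audit: per-user MFA state, registered default method and last sync time.
#    Accounts with an empty LastDirSyncTime are cloud-only, not synced from AD.
Get-MsolUser -All |
    Select-Object UserPrincipalName,
        @{ n = 'MfaState';      e = { Get-MfaState $_ } },
        @{ n = 'DefaultMethod'; e = {
            ($_.StrongAuthenticationMethods |
                Where-Object { $_.IsDefault }).MethodType } },
        LastDirSyncTime |
    Sort-Object MfaState |
    Format-Table -AutoSize

# 2) Enable per-user MFA, the scripted equivalent of steps 5 to 8.
$requirement = New-Object -TypeName `
    Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RelyingParty = '*'        # apply to all applications
$requirement.State        = 'Enabled'
Set-MsolUser -UserPrincipalName $upn `
    -StrongAuthenticationRequirements @($requirement)

# 3) Verify. The state reads 'Enabled' until the user completes the
#    "setup now" registration, after which it becomes 'Enforced'.
$state = Get-MfaState (Get-MsolUser -UserPrincipalName $upn)
if ($state -eq 'Disabled') { throw "MFA is still disabled for $upn" }
'{0}: MFA state is now {1}' -f $upn, $state
```

An empty `DefaultMethod` next to an `Enabled` state means the user has not yet registered a verification method, so those accounts are worth following up on.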

If you have any questions, feel free to contact me at rebeladm@live.com